The latest version of Kubernetes does not support Docker as a container runtime anymore. That is why many Kubernetes administrators have migrated their cluster’s container runtime from docker to another container runtime like containerd or cri-o. Or they will do that soon.

References

  • https://gist.github.com/mamiu/4944e10305bc1c3af84946b33237b0e9

Old: entering a Container as root with Docker

Most containers that run on Kubernetes clusters do not run as root. But what, if you want to test a container and for that, you want to install and test some software manually before you create a new container image? With Docker that was easy. Just enter the container as root (id=0) and do with the container, whatever you want to do:

docker exec -it --rm -u 0 <container-id> bash

Now, that the containers are no Docker containers anymore, this is not possible anymore.

New: entering a Contaner as root with containerd or CRI-O

Prepare

However, you can runc to enter the container as root. Say, you want to enter a shell as root user in the container running on my-pod on my-namespace. First, you need to calculate the container ID. With that information you can enter the container using runc like follows:

# INPUT
N=my-namespace

# CALCULATE
POD=$(kubectl -n $N get pod | tail -1 | awk '{print $1}') 
# or define static POD, if needed: 
# POD=my-pod
CONTAINER_ID=$(kubectl -n $N get pod $POD -o jsonpath="{.status.containerStatuses[].containerID}" | sed 's/.*\/\///')

containerd: Entering a Container as root with runc

If you are using containerd, you now can enter the root session with a single command:

# RUN SHELL AS ROOT
sudo runc --root /run/containerd/runc/k8s.io/ exec -t -u 0 $CONTAINER_ID sh

That’s it! You do not even need to install runc, since runc is part of the installation package if you have installed containerd.

CRI-O: Entering a Container as root with nsenter

With CRI-O, it is slightly more complex, since crtictl does not support entering a root session into a container.

# Retrieve host pid:
HOST_PID=$(crictl inspect $CONTAINER_ID | jq '.info.pid')

# RUN SHELL AS ROOT
nsenter -t ${HOST_PID} -a

That’s it! You do not even need to install runc, since runc is part of the installation package if you have installed containerd (and I guess, also with cri-o…).

P.S.: If you still need to migrate your Kubernetes cluster from Docker container runtime to containerd runtime, you might be interested in this blog post:

Migrate Kubernetes Runtime from Docker to containerd

Also, if you want to migrate from containerd to CRI-O, see this blog post:

Migrate Kubernetes Runtime from Containerd to CRI-O

 

Comments

Diese Website verwendet Akismet, um Spam zu reduzieren. Erfahre mehr darüber, wie deine Kommentardaten verarbeitet werden.